Skip to content

tee/optee_supplicant: Added optee supplicant #3141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 25, 2025
Merged

tee/optee_supplicant: Added optee supplicant #3141

merged 1 commit into from
Jul 25, 2025
+591 −0

Conversation

tkaratapanis
Copy link
Contributor

Summary

This PR introduces to nuttx-apps, the OP-TEE supplicant. Since LIBTEEC already downloads a zip file containing the supplicant and the supplicant requires LIBTEEC, I decided to re-use the downloaded artifact from LIBTEEC and apply the supplicant patch on top of it, in the apps/tee/optee_supplicant/optee_client directory.

The build system will expect CONFIG_OPTEE_SUPPLICANT_VERSION to match CONFIG_LIBTEEC_VERSION otherwise
the build will abort with an error message.

The main reason this application is added, is to provide to OP-TEE secure storage. So an expected (and the currently tested) scenario is to run optee_supplicant as a background app in order to allow Trusted Applications (TAs) running in the OP-TEE to have access to secure files. These files are created on the nuttx side, but all their metadata and contents are only known to OP-TEE since they are encrypted before being "transferred" to nuttx.

To enable the supplicant we need the following:

CONFIG_OPTEE_SUPPLICANT=y
CONFIG_LIBTEEC=y

CONFIG_ALLOW_BSD_COMPONENTS=y
CONFIG_FS_ANONMAP=y
CONFIG_DEV_OPTEE_SMC=y
CONFIG_DEV_OPTEE_SUPPLICANT=y

More info:

Impact

No impact to existing users.

Testing

To test the file creation I created 1 nuttx Client Application (CA) and one TA (they are out of scope of this PR and are not included in any way).
The CA invokes the TA by its uuid (145f361e-40f3-11ee-be56-0242ac120002 in this example) and a specific custom function.
In the following scenario the cmd 2 creates a file with some content and then closes the file.
The cmd 3 opens the file by filename and prints the contents (which are the expected).
For this to be possible the optee_supplicant must be running in the background.
The logs follow:

# Run the supplicant in the background, with /data/tee as the filesystem path for OP-TEE
nsh> optee_supplicant -f /data/tee &                                                                                     
optee_supplicant [0:100] 

# Ask OP-TEE to create a secure file, write data to it and then close the file descriptor (cmd 2)
nsh> optee_client 145f361e-40f3-11ee-be56-0242ac120002 2                                                                
I/TA: File created! closing handle!                                                                                                                                                                            
                                                                                                                           
# Ask OP-TEE to open the file and print its contents (cmd 3)
saluki> optee_client 145f361e-40f3-11ee-be56-0242ac120002 3                                                                
I/TA: file found!!                                                                                                         
I/TA: Object content (19 bytes): "Secure OP-TEE data"

@tkaratapanis tkaratapanis force-pushed the optee-supplicant branch 3 times, most recently from 0feb075 to ea0f833 Compare July 23, 2025 17:38
xiaoxiang781216
xiaoxiang781216 reviewed Jul 23, 2025
View reviewed changes
xiaoxiang781216
xiaoxiang781216 reviewed Jul 23, 2025
View reviewed changes
cederom
cederom approved these changes Jul 24, 2025
View reviewed changes
Copy link
Contributor

@cederom cederom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @tkaratapanis :-) Please remember to git commit -s (put a signature on the commits, this is mandatory, see https://github.com/apache/nuttx/blob/master/CONTRIBUTING.md).

@tkaratapanis
tee/optee_supplicant: Added optee supplicant
8befe07 
Support for extracting (from libteec), patching and compiling
optee_client/tee-supplicant by NuttX apps. Defaults to version
4.6.0 (same as the current libteec).

Enabled with:
CONFIG_OPTEE_SUPPLICANT=y
CONFIG_LIBTEEC=y

And the following for the nuttx kernel:

CONFIG_ALLOW_BSD_COMPONENTS=y
CONFIG_FS_ANONMAP=y
CONFIG_DEV_OPTEE_SMC=y
CONFIG_DEV_OPTEE_SUPPLICANT=y

The version of the supplicant needs to match the libteec version
since the patch to be applied might fail otherwise. If the versions
differ the build will be aborted.

More info:
 - https://github.com/OP-TEE/optee_client
 - https://optee.readthedocs.io/en/latest/architecture/secure_storage.html

Signed-off-by: Theodore Karatapanis <tkaratapanis@census-labs.com>
@tkaratapanis
Copy link
Contributor Author

Thank you @tkaratapanis :-) Please remember to git commit -s (put a signature on the commits, this is mandatory, see https://github.com/apache/nuttx/blob/master/CONTRIBUTING.md).

I amended my commit with -s :)

@xiaoxiang781216 xiaoxiang781216 merged commit 72668d7 into apache:master Jul 25, 2025
39 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cederom cederom cederom approved these changes

@jerpelea jerpelea jerpelea approved these changes

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 approved these changes

Assignees
No one assigned
Labels
Size: L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tkaratapanis @cederom @jerpelea @xiaoxiang781216